From f881788104d309aef7a75852e363f2b1de615ead Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 20 Jan 2026 13:47:56 +0000 Subject: [PATCH 1/5] Add Seal Security CLI integration to GitHub Actions workflows Integrate seal-community/cli-action in fix mode with fix_mode=all to both release.yml and validate-readme.yml workflows. The CLI step is added after setup-go and before the build steps to apply security fixes to dependencies. --- .github/workflows/release.yml | 6 ++++++ .github/workflows/validate-readme.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index df94cd4..5f64536 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,6 +41,12 @@ jobs: with: go-version-file: 'go.mod' + - name: 'Seal Security CLI' + uses: 'seal-community/cli-action@latest' + with: + mode: fix + fix_mode: all + - name: 'Checkout Starter Workflows' uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4 with: diff --git a/.github/workflows/validate-readme.yml b/.github/workflows/validate-readme.yml index 97007f3..cceb889 100644 --- a/.github/workflows/validate-readme.yml +++ b/.github/workflows/validate-readme.yml @@ -42,6 +42,12 @@ jobs: with: go-version-file: 'go.mod' + - name: 'Seal Security CLI' + uses: 'seal-community/cli-action@latest' + with: + mode: fix + fix_mode: all + - name: 'Generate Readme' run: |- go run ./scripts/generate/... readme From b9c48f370ebbcebb34237e77b5e1e7f1f0ed78de Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 20 Jan 2026 13:50:38 +0000 Subject: [PATCH 2/5] Add SEAL_TOKEN and project configuration to Seal CLI steps Configure the Seal Security CLI action with: - token: referenced from GitHub secrets (SEAL_TOKEN) - project: workflows --- .github/workflows/release.yml | 2 ++ .github/workflows/validate-readme.yml | 2 ++ 2 files changed, 4 insertions(+) 
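Review bot: `uses: 'seal-community/cli-action@latest'` in the release.yml hunk follows a mutable ref, while the `actions/checkout` step in the same hunk is pinned to a full commit SHA with a `# ratchet:` comment. The step runs in `fix` mode with `fix_mode: all` ahead of the build, so whatever `latest` resolves to at run time can rewrite the dependencies that end up in the release. Pin it the same way, `uses: 'seal-community/cli-action@<full-commit-sha>' # ratchet:seal-community/cli-action@<tag>`, and do the same in the validate-readme.yml hunk. The job's `permissions:` block is outside both hunks, so confirm separately that this step does not inherit more token scope than it needs.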
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5f64536..bd04ff3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,6 +46,8 @@ jobs: with: mode: fix fix_mode: all + token: ${{ secrets.SEAL_TOKEN }} + project: workflows - name: 'Checkout Starter Workflows' uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4 diff --git a/.github/workflows/validate-readme.yml b/.github/workflows/validate-readme.yml index cceb889..3d67d38 100644 --- a/.github/workflows/validate-readme.yml +++ b/.github/workflows/validate-readme.yml @@ -47,6 +47,8 @@ jobs: with: mode: fix fix_mode: all + token: ${{ secrets.SEAL_TOKEN }} + project: workflows - name: 'Generate Readme' run: |- From 6fb0c948d4ac21637cf5f72b7ad8826ffa6542f0 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 20 Jan 2026 13:52:35 +0000 Subject: [PATCH 3/5] Use SEAL_TOKEN directly in workflow files The token only allows package downloads and doesn't pose a security risk, so it can be included directly rather than via secrets. --- .github/workflows/release.yml | 2 +- .github/workflows/validate-readme.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bd04ff3..f7bd4da 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
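Review bot: `token: ${{ secrets.SEAL_TOKEN }}` in the validate-readme.yml hunk will be empty on runs where GitHub withholds repository secrets, which includes pull requests opened from forks. The workflow's `on:` triggers are outside the hunk, so this only matters if it runs on `pull_request`; in that case the Seal step will fail or run unauthenticated for outside contributors. Add an `if:` condition that skips the step when the secret is unavailable, rather than moving the workflow to `pull_request_target` or inlining the token. Propose a comment above the step such as `# Skipped on fork PRs: SEAL_TOKEN is not exposed to them`.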
@@ -46,7 +46,7 @@ jobs: with: mode: fix fix_mode: all - token: ${{ secrets.SEAL_TOKEN }} + token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJhYzE2Mjc3In0.eyJzdWIiOiI4N2MwMTU0YS1hYTNkLTRiYmUtYTQ2MS1mNTlmYTQ0ZGJhNTEiLCJ0eXBlIjoidGVuYW50QWNjZXNzVG9rZW4iLCJ0ZW5hbnRJZCI6IjA3Mjg4YWE4LThlZjktNDc0Zi04NmRmLTM0N2QxMmE3MTQyNCIsImFwcGxpY2F0aW9uSWQiOiIwMWQ3NTcxMy04NjZlLTRlZGYtODQ3Zi1lZDkwYTk0Nzg1ZGIiLCJyb2xlcyI6WyJGRVRDSC1ST0xFUy1CWS1BUEkiXSwicGVybWlzc2lvbnMiOlsiRkVUQ0gtUEVSTUlTU0lPTlMtQlktQVBJIl0sImF1ZCI6ImJhYzE2Mjc3LTVjYmUtNDA3Yy04MjM5LWRmZmY3Mzk4ZWIwZSIsImlzcyI6Imh0dHBzOi8vbG9naW4uc2VhbHNlY3VyaXR5LmlvIiwiaWF0IjoxNzY4OTE2MTA1LCJleHAiOjE4MDA0NTIxMDV9.DNqqfUe4MAzeWEODD_KhNPBxE15g8avjRf1hPTYTvabEzykhu8PR1nqwNC4qXGYyKozKVl506gXSBkcwfigem5Rrr8eFaxauDZa75eTKrV3nXipbUihcy-ET7PUC9WA56Jp0GiIxtVJ0pn3M1ldfBc_QaAxBewOvLRFWQwoXMTQjVyfxOAeECL62ht1ohih5YR4A8kt4PL_HDJ-Nf2XXl6V_gpSXXbgJN739NMlRoykJSTl6By60mPEBwB5v5PzDXP8f9SIkVMw2HKTqHcFnCQ_CywWejg7dRBQ-08yDwgA-9LegiK_QcsNy1RoN6OEX6waEe26FIXPVFX0UkdY8PA project: workflows - name: 'Checkout Starter Workflows' diff --git a/.github/workflows/validate-readme.yml b/.github/workflows/validate-readme.yml index 3d67d38..734f47e 100644 --- a/.github/workflows/validate-readme.yml +++ b/.github/workflows/validate-readme.yml 
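Review bot: The new `token:` line commits a live bearer credential in plain text to release.yml, and the following hunk does the same in validate-readme.yml. Anyone who can read the repository, its forks or its history can reuse it. The commit message's "download-only" claim cannot be checked from the file: the payload appears to decode as a tenant-level access token valid for about a year, with roles resolved server-side. Restore `token: ${{ secrets.SEAL_TOKEN }}` in both files. Because the value stays in git history after a revert, treat it as exposed and revoke and reissue it with the vendor.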
@@ -47,7 +47,7 @@ jobs: with: mode: fix fix_mode: all - token: ${{ secrets.SEAL_TOKEN }} + token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJhYzE2Mjc3In0.eyJzdWIiOiI4N2MwMTU0YS1hYTNkLTRiYmUtYTQ2MS1mNTlmYTQ0ZGJhNTEiLCJ0eXBlIjoidGVuYW50QWNjZXNzVG9rZW4iLCJ0ZW5hbnRJZCI6IjA3Mjg4YWE4LThlZjktNDc0Zi04NmRmLTM0N2QxMmE3MTQyNCIsImFwcGxpY2F0aW9uSWQiOiIwMWQ3NTcxMy04NjZlLTRlZGYtODQ3Zi1lZDkwYTk0Nzg1ZGIiLCJyb2xlcyI6WyJGRVRDSC1ST0xFUy1CWS1BUEkiXSwicGVybWlzc2lvbnMiOlsiRkVUQ0gtUEVSTUlTU0lPTlMtQlktQVBJIl0sImF1ZCI6ImJhYzE2Mjc3LTVjYmUtNDA3Yy04MjM5LWRmZmY3Mzk4ZWIwZSIsImlzcyI6Imh0dHBzOi8vbG9naW4uc2VhbHNlY3VyaXR5LmlvIiwiaWF0IjoxNzY4OTE2MTA1LCJleHAiOjE4MDA0NTIxMDV9.DNqqfUe4MAzeWEODD_KhNPBxE15g8avjRf1hPTYTvabEzykhu8PR1nqwNC4qXGYyKozKVl506gXSBkcwfigem5Rrr8eFaxauDZa75eTKrV3nXipbUihcy-ET7PUC9WA56Jp0GiIxtVJ0pn3M1ldfBc_QaAxBewOvLRFWQwoXMTQjVyfxOAeECL62ht1ohih5YR4A8kt4PL_HDJ-Nf2XXl6V_gpSXXbgJN739NMlRoykJSTl6By60mPEBwB5v5PzDXP8f9SIkVMw2HKTqHcFnCQ_CywWejg7dRBQ-08yDwgA-9LegiK_QcsNy1RoN6OEX6waEe26FIXPVFX0UkdY8PA project: workflows - name: 'Generate Readme' From 16e065ec024c9dbe470a7443d6ce3e425a66e439 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 20 Jan 2026 14:00:54 +0000 Subject: [PATCH 4/5] Add Seal Security CLI installation skill for Claude Code Create a skill that helps users integrate Seal Security CLI into their CI pipelines. The skill: - Asks users for their Seal Security token - Auto-generates a unique project ID - Detects CI platform (GitHub Actions, GitLab, Docker, or other) - Adds appropriate Seal CLI configuration for the detected platform Users can invoke with /seal-security to install Seal in their repos. --- .claude/skills/seal-security/SKILL.md | 139 ++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 .claude/skills/seal-security/SKILL.md diff --git a/.claude/skills/seal-security/SKILL.md b/.claude/skills/seal-security/SKILL.md new file mode 100644 index 0000000..5316eab --- /dev/null +++ b/.claude/skills/seal-security/SKILL.md 
@@ -0,0 +1,139 @@ +--- +name: seal-security +description: Install Seal Security CLI in CI pipelines. Use when the user wants to add Seal Security, integrate security scanning, or fix vulnerable dependencies in GitHub Actions, GitLab CI, Docker, or other CI platforms. +allowed-tools: Read, Write, Edit, Glob, Grep, Bash, AskUserQuestion +user-invocable: true +--- + +# Seal Security CLI Installation + +This skill helps users integrate Seal Security's CLI into their CI pipelines to automatically fix vulnerable dependencies. + +## Workflow + +### Step 1: Gather Required Information + +First, ask the user for their Seal Security token using the AskUserQuestion tool: + +**Question to ask:** +- "What is your Seal Security token?" (This is required to authenticate with the Seal artifact server) + +### Step 2: Generate Project ID + +Generate a unique project ID automatically using this format: +``` +- +``` + +Use the repository name from the current directory (extract from git remote or folder name) and append 8 random alphanumeric characters. You can generate this with: +```bash +basename $(git rev-parse --show-toplevel 2>/dev/null || pwd)-$(head -c 4 /dev/urandom | xxd -p) +``` + +### Step 3: Detect CI Platform + +Search the repository for CI configuration files to determine which platform(s) are in use: + +| Platform | Files to look for | +|----------|-------------------| +| GitHub Actions | `.github/workflows/*.yml`, `.github/workflows/*.yaml` | +| GitLab CI | `.gitlab-ci.yml` | +| Docker | `Dockerfile`, `*.dockerfile`, `docker/Dockerfile` | +| Other | If none found, ask the user which platform they use | + +### Step 4: Install Seal Security CLI + +Based on the detected platform, add the Seal CLI integration: + +#### GitHub Actions + +Add this step **immediately after** any package installation steps (like `npm install`, `pip install`, `go mod download`, etc.) 
and **before** build/test steps: + +```yaml + - name: 'Seal Security CLI' + uses: 'seal-community/cli-action@latest' + with: + mode: fix + fix_mode: all + token: + project: +``` + +#### GitLab CI + +Add to the `before_script` section or as a dedicated stage after dependency installation: + +```yaml +seal-security: + stage: .pre + before_script: + - curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o seal.zip + - unzip seal.zip + - ./seal fix --mode all + variables: + SEAL_CLI_VERSION: latest + SEAL_TOKEN: + SEAL_PROJECT: +``` + +Or add these lines to existing jobs after package installation: + +```yaml + before_script: + - curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o seal.zip + - unzip seal.zip + - ./seal fix --mode all + variables: + SEAL_CLI_VERSION: latest + SEAL_TOKEN: + SEAL_PROJECT: +``` + +#### Docker + +Add these lines **after** any `RUN npm install`, `RUN pip install`, or similar package installation commands: + +```dockerfile +# Seal Security - Fix vulnerable dependencies +ENV SEAL_TOKEN= +ENV SEAL_PROJECT= +ENV SEAL_CLI_VERSION=latest +RUN curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o /tmp/seal.zip && \ + unzip /tmp/seal.zip -d /usr/local/bin && \ + seal fix --mode all && \ + rm -f /tmp/seal.zip /usr/local/bin/seal +``` + +#### Other CI Platforms + +Provide a generic shell script approach: + +```bash +export SEAL_TOKEN= +export SEAL_PROJECT= +export SEAL_CLI_VERSION=latest +curl -fsSL https://github.com/seal-community/cli/releases/download/${SEAL_CLI_VERSION}/seal-linux-amd64-${SEAL_CLI_VERSION}.zip -o seal.zip +unzip seal.zip +./seal fix --mode all +``` + +### Step 5: Confirm Changes + +After making the changes: +1. Show the user what files were modified +2. Explain where the Seal CLI step was added +3. 
Remind them that `fix_mode: all` applies all available fixes automatically + +### Fix Mode Options + +If the user asks about other options, explain: + +- `fix_mode: all` - Apply every possible fix automatically (default, recommended) +- `fix_mode: local` - Use local `.seal.yaml` configuration to select specific packages +- `fix_mode: remote` - Use remote configuration from Seal Security dashboard + +## Important Notes + +- The Seal CLI must run **after** dependencies are installed but **before** any build or test steps +- The token authenticates with Seal's artifact server to download patched packages +- The project ID helps organize and track fixes across repositories From 803df18a066cc19a167a65a064ceb477c1b7141f Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 20 Jan 2026 14:10:14 +0000 Subject: [PATCH 5/5] Add installation script and README for Seal Security skill - Add install.sh for one-liner installation via curl - Add README.md with installation options and usage instructions - Support personal (~/.claude/skills/) and project-level installation --- .claude/skills/seal-security/README.md | 69 +++++++++++++++++++++++++ .claude/skills/seal-security/install.sh | 29 +++++++++++ 2 files changed, 98 insertions(+) create mode 100644 .claude/skills/seal-security/README.md create mode 100755 .claude/skills/seal-security/install.sh diff --git a/.claude/skills/seal-security/README.md b/.claude/skills/seal-security/README.md new file mode 100644 index 0000000..53f6de3 --- /dev/null +++ b/.claude/skills/seal-security/README.md 
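Review bot: The Step 4 templates place the token collected in Step 1 straight into CI files with no instruction to use a secret store, and the Docker template sets it with `ENV SEAL_TOKEN=`, which persists in the image configuration and history after the build (the placeholder values look stripped in this view). Instruct the skill to write only a reference: `token: ${{ secrets.SEAL_TOKEN }}` for GitHub Actions, a masked CI/CD variable for GitLab, and a BuildKit secret mount (`RUN --mount=type=secret,id=seal_token ...`) for Docker. It should never write the raw value into a tracked file. The download lines fetch `SEAL_CLI_VERSION=latest` and unzip it with no integrity check; pin a release version and verify a published digest before `unzip`. The front matter grants `Bash` and `Write` in `allowed-tools`; consider narrowing that to what the workflow-editing steps need.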
@@ -0,0 +1,69 @@ +# Seal Security CLI Skill for Claude Code + +This Claude Code skill helps you integrate [Seal Security's CLI](https://github.com/seal-community/cli) into your CI pipelines to automatically fix vulnerable dependencies. + +## Installation + +### Option 1: One-liner install (Recommended) + +```bash +curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/install.sh | bash +``` + +### Option 2: Manual installation + +Clone or download the skill to your personal skills directory: + +```bash +mkdir -p ~/.claude/skills/seal-security +curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/SKILL.md -o ~/.claude/skills/seal-security/SKILL.md +``` + +### Option 3: Project-level installation + +Add to a specific project by copying to `.claude/skills/`: + +```bash +mkdir -p .claude/skills/seal-security +curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/SKILL.md -o .claude/skills/seal-security/SKILL.md +``` + +## Usage + +1. Open Claude Code in your project +2. Type `/seal-security` +3. Provide your Seal Security token when prompted +4. Claude will automatically detect your CI platform and add the integration + +## Supported CI Platforms + +| Platform | Detection | +|----------|-----------| +| GitHub Actions | `.github/workflows/*.yml` | +| GitLab CI | `.gitlab-ci.yml` | +| Docker | `Dockerfile` | +| Other | Manual configuration | + +## What it does + +1. **Asks for your Seal token** - Required to authenticate with Seal's artifact server +2. **Generates a project ID** - Creates a unique identifier for your repository +3. **Detects your CI platform** - Scans for workflow files +4. 
**Adds Seal CLI integration** - Inserts the appropriate configuration + +## Fix Modes + +- `fix_mode: all` - Apply all available fixes (default) +- `fix_mode: local` - Use local `.seal.yaml` configuration +- `fix_mode: remote` - Use Seal Security dashboard configuration + +## Requirements + +- Claude Code CLI +- A Seal Security account and token + +## Links + +- [Seal Security](https://seal.security) +- [Seal CLI GitHub](https://github.com/seal-community/cli) +- [Seal CLI Action](https://github.com/seal-community/cli-action) diff --git a/.claude/skills/seal-security/install.sh b/.claude/skills/seal-security/install.sh new file mode 100755 index 0000000..2e96612 --- /dev/null +++ b/.claude/skills/seal-security/install.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# Seal Security CLI Skill Installer for Claude Code +# Usage: curl -fsSL https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security/install.sh | bash + +set -e + +SKILL_NAME="seal-security" +SKILL_DIR="${HOME}/.claude/skills/${SKILL_NAME}" +REPO_URL="https://raw.githubusercontent.com/seal-community/cli/main/.claude/skills/seal-security" + +echo "Installing Seal Security skill for Claude Code..." + +# Create skills directory if it doesn't exist +mkdir -p "${HOME}/.claude/skills" + +# Create skill directory +mkdir -p "${SKILL_DIR}" + +# Download SKILL.md +echo "Downloading skill files..." +curl -fsSL "${REPO_URL}/SKILL.md" -o "${SKILL_DIR}/SKILL.md" + +echo "" +echo "Seal Security skill installed successfully!" +echo "" +echo "Location: ${SKILL_DIR}" +echo "" +echo "Usage: Type /seal-security in Claude Code to install Seal CLI in your CI pipelines." +echo ""
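Review bot: `REPO_URL` in install.sh tracks the `main` branch and the script is documented as `curl ... | bash`, so both the installer and the `SKILL.md` it writes to `~/.claude/skills` can change without the user noticing. That file declares `Bash` in `allowed-tools`, so it is effectively executable instructions for the agent. Pin `REPO_URL` to a tag or commit and compare the downloaded file against a known checksum before leaving it in place. `set -e` alone does not catch unset variables or pipeline failures, so use `set -euo pipefail`. Wrap the body in a function invoked on the last line so a truncated download cannot run a partial script.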